// freethedsp by geohot
// (because the DSP should be free)
// released under MIT License
// usage instructions:
// 1. Compile an example from the Qualcomm Hexagon SDK
// 2. Try to run it on your phone
// 3. Be very sad when "adsprpc ... dlopen error: ... signature verify start failed for ..." appears in logcat
// ...here is where people would give up before freethedsp
// 4. Compile freethedsp with 'clang -shared freethedsp.c -o freethedsp.so' (or statically link it to your program)
// 5. Run your program with 'LD_PRELOAD=./freethedsp.so ./<your_prog>'
// 6. OMG THE DSP WORKS
// 7. Be happy.
// *** patch may have to change for your phone ***
// this is patching /dsp/fastrpc_shell_0
// correct if sha hash of fastrpc_shell_0 is "fbadc96848aefad99a95aa4edb560929dcdf78f8"
// patch to return 0xFFFFFFFF from is_test_enabled instead of 0
// your fastrpc_shell_0 may vary
# define PATCH_ADDR 0x5200c
# define PATCH_OLD "\x40\x3f\x20\x50"
# define PATCH_NEW "\x40\x3f\x00\x5a"
# define PATCH_LEN (sizeof(PATCH_OLD)-1)
# define _BITS_IOCTL_H_
// under 100 lines of code begins now
# include <stdio.h>
# include <dlfcn.h>
# include <assert.h>
# include <stdlib.h>
# include <unistd.h>
// ioctl stuff
# define IOC_OUT 0x40000000 /* copy out parameters */
# define IOC_IN 0x80000000 /* copy in parameters */
# define IOC_INOUT (IOC_IN|IOC_OUT)
# define IOCPARM_MASK 0x1fff /* parameter length, at most 13 bits */
# define _IOC(inout,group,num,len) \
( inout | ( ( len & IOCPARM_MASK ) < < 16 ) | ( ( group ) < < 8 ) | ( num ) )
# define _IOWR(g,n,t) _IOC(IOC_INOUT, (g), (n), sizeof(t))
// ion ioctls
# include <linux/ion.h>
# define ION_IOC_MSM_MAGIC 'M'
# define ION_IOC_CLEAN_INV_CACHES _IOWR(ION_IOC_MSM_MAGIC, 2, \
struct ion_flush_data )
struct ion_flush_data {
ion_user_handle_t handle ;
int fd ;
void * vaddr ;
unsigned int offset ;
unsigned int length ;
} ;
// fastrpc ioctls
# define FASTRPC_IOCTL_INIT _IOWR('R', 6, struct fastrpc_ioctl_init)
struct fastrpc_ioctl_init {
uint32_t flags ; /* one of FASTRPC_INIT_* macros */
uintptr_t __user file ; /* pointer to elf file */
int32_t filelen ; /* elf file length */
int32_t filefd ; /* ION fd for the file */
uintptr_t __user mem ; /* mem for the PD */
int32_t memlen ; /* mem length */
int32_t memfd ; /* ION fd for the mem */
} ;
int ioctl ( int fd , unsigned long request , void * arg ) {
static void * handle = NULL ;
static int ( * orig_ioctl ) ( int , int , void * ) ;
if ( handle = = NULL ) {
handle = dlopen ( " /system/lib64/libc.so " , RTLD_LAZY ) ;
assert ( handle ! = NULL ) ;
orig_ioctl = dlsym ( handle , " ioctl " ) ;
}
int ret = orig_ioctl ( fd , request , arg ) ;
// carefully modify this one
if ( request = = FASTRPC_IOCTL_INIT ) {
struct fastrpc_ioctl_init * init = ( struct fastrpc_ioctl_init * ) arg ;
// confirm patch is correct and do the patch
assert ( memcmp ( ( void * ) ( init - > mem + PATCH_ADDR ) , PATCH_OLD , PATCH_LEN ) = = 0 ) ;
memcpy ( ( void * ) ( init - > mem + PATCH_ADDR ) , PATCH_NEW , PATCH_LEN ) ;
// flush cache
int ionfd = open ( " /dev/ion " , O_RDONLY ) ;
assert ( ionfd > 0 ) ;
struct ion_fd_data fd_data ;
fd_data . fd = init - > memfd ;
int ret = ioctl ( ionfd , ION_IOC_IMPORT , & fd_data ) ;
assert ( ret = = 0 ) ;
struct ion_flush_data flush_data ;
flush_data . handle = fd_data . handle ;
flush_data . vaddr = ( void * ) init - > mem ;
flush_data . offset = 0 ;
flush_data . length = init - > memlen ;
ret = ioctl ( ionfd , ION_IOC_CLEAN_INV_CACHES , & flush_data ) ;
assert ( ret = = 0 ) ;
struct ion_handle_data handle_data ;
handle_data . handle = fd_data . handle ;
ret = ioctl ( ionfd , ION_IOC_FREE , & handle_data ) ;
assert ( ret = = 0 ) ;
// cleanup
close ( ionfd ) ;
}
return ret ;
}
